Hello
Please provide an option to return nothing when "ANY" queries are made.
Some DNS providers do not reply with anything to "ANY" queries; see for example here:
https://blog.cloudflare.com/deprecating-dns-any-meta-query-type
It would be great to have such an option in unbound.
I used a python script but then realised that the performance with resperf drops to less than 50% when using the python script.
With python enabled: 7000 qps
Without the python script: ~15000 qps

Hi,
Unbound already implements another of the RFC recommended options for denying query type ANY, which is where it responds with a small amount of items from the cache. This is protocol conformant, and gives a small response.
Best regards, Wouter

Hi Wouter
Thanks for your answer. I know that unbound already supports RFC conformant small ANY responses.
In my opinion, this can lead to slightly strange results, because when you do for example:
dig A test.com
and then
dig ANY test.com
you get:
;; ANSWER SECTION:
test.com. 3571 IN A 69.172.200.235
test.com. 7171 IN NS ns65.worldnic.com.
test.com. 7171 IN NS ns66.worldnic.com.
However, if you do first
dig ANY test.com
you get
;; ANSWER SECTION:
test.com. 3600 IN A 69.172.200.235
test.com. 7200 IN TXT "google-site-verification=kW9t2V_S7WjOX57zq0tP8Ae_WJhRwUcZoqpdEkvuXJk"
test.com. 7200 IN NS ns66.worldnic.com.
test.com. 7200 IN NS ns65.worldnic.com.
test.com. 7200 IN SOA ns65.worldnic.com. namehost.worldnic.com. 118062110 10800 3600 604800 3600
test.com. 7200 IN MX 30 lastmx.spamexperts.net.
test.com. 7200 IN MX 20 fallbackmx.spamexperts.eu.
test.com. 7200 IN MX 10 mx.spamexperts.com.
So I think an option to just deny ANY queries would make more sense.

Hi,
The option deny-any: yes is added to unbound.conf, and it responds with an empty message to type ANY queries. The default is no, and the old behaviour is what happens when the option is disabled. Thanks for the report, I hope it makes the handling of annoyance traffic easier.
Best regards, Wouter

(In reply to publicarray from comment #4)
> Thanks Wouter for adding this option. To improve this further I think a
> small INFO response is better than a completely (valid) empty response.
> Having a small INFO response informs users why the response is empty. See
> https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any
Or how about setting the Rcode to 4 (NOTIMP)?
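
Which of the ANY policies discussed in this thread a resolver applies can be read from the response itself. The following is an added example, not part of the original thread or of Unbound's code: it classifies a wire-format response as empty (what the thread says deny-any: yes returns), a single HINFO record (the approach in the linked refuse-any draft), NOTIMP, or ordinary records. All function names and the sample responses are constructed for illustration.

```python
import struct

QTYPE_ANY, TYPE_A, TYPE_NS, TYPE_HINFO = 255, 1, 2, 13

def build_any_query(name, qid=0x1234):
    """Wire-format query for <name> IN ANY, recursion desired."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", QTYPE_ANY, 1)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        if n == 0:                # root label ends the name
            return off + 1
        off += 1 + n

def classify_any_response(msg):
    """Name the ANY-handling policy a response reflects."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode == 4:
        return "notimp"
    if rcode != 0:
        return "rcode-%d" % rcode
    off = 12
    for _ in range(qdcount):      # skip question: name + qtype + qclass
        off = skip_name(msg, off) + 4
    types = []
    for _ in range(ancount):      # collect the type of each answer RR
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    if not types:
        return "empty"            # what the thread says deny-any: yes returns
    return "hinfo" if types == [TYPE_HINFO] else "subset-or-full"

def make_response(query, rcode=0, answers=()):
    """Constructed sample data: a response to `query` carrying (type, rdata) RRs."""
    hdr = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, len(answers), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 3600, len(rd)) + rd
                   for t, rd in answers)
    return hdr + query[12:] + rrs
```

To check a live resolver, send the bytes from build_any_query() over UDP to port 53 and pass the reply to classify_any_response().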